
Omega Search - what a pain!!!

Hi there - new to the site so not too sure if I'm doing this right... well, you guessed it, being slammed by this pain in the axxx thing. I have pasted my HijackThis log below - anybody any ideas how I can get shut of this thing? Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 11:00:20, on 22/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\HIDDEN~1.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Graham\My Documents\HijackThis.exe
C:\Documents and Settings\Graham\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\SurfSecret\Popup Eliminator\PEToolbar452.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [Hidden Menu] C:\PROGRA~1\HIDDEN~1.EXE
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe /min
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Software\Toolkit\FreeRAM XP Pro 1.3\FreeRAM XP Pro 1.30.exe" -win
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A38368-3360-479A-ADC4-5F08F6FE2DBE}: NameServer = 207.44.140.102 64.191.22.247

Comments

  • RADA Apple Valley, CA Member
    edited May 2004
    Hi Maddie, welcome to Short Media, we'll help if we can.

    I'm still learning anti-spyware-ese, so I'll have one of the other guys here look at this for you too, but the main ones I see are:

    Boot into safe mode and remove these

    O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe

    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    I've been removing Autoupdater from machines at work all week. While still in safe mode, look in your Program Files for a folder called "Auto Update". If you don't find it there, search for it and delete it.

    I think
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A38368-3360-479A-ADC4-5F08F6FE2DBE}: NameServer = 207.44.140.102 64.191.22.247

    is suspect too, but not sure. It won't hurt anything to leave it there till I can confirm what it is, and whether it can be deleted.

    RADA
  • edited May 2004
    Thanks for that - your help is much appreciated!

    Maddie
  • edited May 2004
    RADA wrote:
    Hi Maddie, welcome to Short Media, we'll help if we can.

    I'm still learning anti-spyware-ese, so I'll have one of the other guys here look at this for you too, but the main ones I see are:

    Boot into safe mode and remove these

    O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe

    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    I've been removing Autoupdater from machines at work all week. While still in safe mode, look in your Program Files for a folder called "Auto Update". If you don't find it there, search for it and delete it.

    I think
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A38368-3360-479A-ADC4-5F08F6FE2DBE}: NameServer = 207.44.140.102 64.191.22.247

    is suspect too, but not sure. It won't hurt anything to leave it there till I can confirm what it is, and whether it can be deleted.

    RADA
    Thanks for your interest - the Omega thing seems to have disappeared (I think!) but something else keeps trying to hijack my home page - I have posted the HijackThis log as follows - any ideas, as it really is a drag!
    Logfile of HijackThis v1.97.7
    Scan saved at 19:17:37, on 28/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\DVDRAMSV.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\HIDDEN~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe
    C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hoebbda.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hoebbda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\SurfSecret\Popup Eliminator\PEToolbar452.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [Hidden Menu] C:\PROGRA~1\HIDDEN~1.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [FreeRAM XP] "D:\Software\Toolkit\FreeRAM XP Pro 1.3\FreeRAM XP Pro 1.30.exe" -win
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/product...ontent/opuc.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
  • Dexter Vancouver, BC Canada
    edited May 2004
    Boot into SAFE MODE, run HJT, and FIX the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hoebbda.dll/sp.html (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hoebbda.dll/sp.html (obfuscated)

    O4 - HKCU\..\Run: [Hidden Menu] C:\PROGRA~1\HIDDEN~1.EXE

    (The above may be a legit program used to hide programs or menus on your computer. If you recall intentionally installing such a program, leave this entry alone and skip my next step. If you do not recall ever installing such a program, fix that entry and proceed to the next step.)

    Next, find the file C:\PROGRAM FILES\HIDDEN~1.EXE. Move it to a new folder I want you to make: C:\Quarantine. Change the extension from ".exe" to ".xxx". This is preferable to deleting, because you can then rename and recover the file if it turns out to be needed for something after all.

    That should solve your troubles. Reboot normally, and let us know. If the obfuscated entries return, there are a couple of other things we can try.

    Dexter...
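The replies above triage the log by eye: search-page entries that point into a local DLL, a Run key that deserves a second look, an ActiveX download from a bare IP, and a NameServer entry to verify. As an added example (an editor's script, not part of this thread and not HijackThis code), here is a small parser that applies those same checks to HijackThis-style entries. The sample lines are constructed to match the shape of the entries posted in the thread; the heuristics only flag entries for human review and do not decide whether anything is malicious. The O4 check also generalises one pattern visible in the first log (an executable carrying a Windows system-binary name but launched from outside the system directory).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines modelled on the HijackThis entries posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hoebbda.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A38368-3360-479A-ADC4-5F08F6FE2DBE}: NameServer = 207.44.140.102 64.191.22.247
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Executable path in an O4 entry: text after the [name] tag up to the first ".exe".
EXE_RE = re.compile(r'\]\s*"?([^"]+?\.exe)', re.IGNORECASE)
# A URL whose host part is a bare IPv4 address.
IPV4_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.IGNORECASE)

# Binary names Windows itself uses; one of these launched from elsewhere deserves a look.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    code: str    # HijackThis section (R0, O4, ...)
    reason: str  # why the entry deserves review
    entry: str   # the original log line


def check_entry(code: str, body: str) -> List[str]:
    """Return the review reasons for one entry (an empty list means nothing was flagged)."""
    reasons = []
    lowered = body.lower()
    if code in ("R0", "R1"):
        # Start/search page redirected into a resource inside a local DLL.
        if "res://" in lowered and ".dll" in lowered:
            reasons.append("IE search/start page points into a local DLL resource (res://)")
        if "(obfuscated)" in lowered:
            reasons.append("HijackThis marked the value as obfuscated")
    elif code == "O4":
        m = EXE_RE.search(body)
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not path.lower().startswith(SYSTEM_DIRS):
                reasons.append(f"{name} has a Windows system-binary name but runs from {path}")
    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if IPV4_URL_RE.match(url):
            reasons.append("ActiveX cab fetched from a raw IP address rather than a named host")
    elif code == "O17":
        reasons.append("DNS servers set on an interface; confirm they belong to your ISP")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and collect the entries that merit manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        for reason in check_entry(m.group("code"), m.group("body")):
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n      {f.entry}")
```

Run against the sample, the script flags the obfuscated `res://` search entries, the `svchost.exe` launched from Common Files, the cab fetched from a bare IP, and the NameServer entry, while leaving the Google start page, the `ctfmon.exe` Run key and the Macromedia download alone. Anything it flags still needs the kind of judgement the replies above apply: a known, intentionally installed program is not a hijacker just because a heuristic matched it.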